I'm gearing up to set up multiple MacBooks in our organization, and they're already enrolled in ABM with users configured through Entra federation. I've got Intune set up with basic profiles to install essential apps like Office, Company Portal, Edge, Defender, and OneDrive, as well as the SSO extension. However, I want to enhance the first login experience so that the Company Portal is readily accessible without digging through Spotlight. I'm also curious about whether it's feasible to use Entra identity for signing into a Mac. Has anyone out there faced a similar situation and found any useful guides or tips recently? I'm pretty confident with Autopilot and Windows setups, but the Mac side is new territory for me.
2 Answers
Regarding signing in with Entra, Apple introduced a feature called platform SSO. It appears to have moved past the preview stage, so it's worth looking into. I never fully implemented it, but here’s the link to the Microsoft guide if you want details: https://learn.microsoft.com/en-us/intune/intune-service/configuration/platform-sso-macos.
I had a hard time getting this to work with our MDM. It wouldn't create a new user unless someone logged in to Intune first, which defeats the purpose of sending the Mac directly to a user. Plus, the username ends up being 'user.namedomain.com.' I've been stuck on this issue too, and even support from SimpleMDM hasn’t been able to help, citing it as an Apple limitation. Oh, and the lock screen WiFi selection is totally frustrating—makes setup a pain!
In a past job, we transitioned our Macs away from Active Directory and played around with Entra and Intune direct enrollment. While it worked, there was a fair amount of manual setup involved. Eventually, we decided to go with Jamf, and after a couple of weeks refining the setup, we could send Macs directly to users. They just had to log in with an internet connection, and everything was set up seamlessly every time. We customized the dock, set up the Kerberos extension, and installed apps based on AD group memberships. It made a huge difference! Now I'm embarking on a similar project in my current job—waiting for the tester Mac before diving into zero-touch enrollment.

There's also a helpful Mac Admins Slack group where you can ask questions. I've found it super useful for troubleshooting. You might want to check out MacAdmins.org for that.
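The question's concrete ask (Company Portal on the Dock at first login) and the "we customized the dock" step in the Jamf answer above both come down to a managed `com.apple.dock` configuration profile. The script below generates such a profile; it is an added example, not code from anyone in this thread or from Microsoft or Apple. It assumes Company Portal lives at `/Applications/Company Portal.app` (where the Intune-pushed installer places it) and that your MDM accepts a custom `.mobileconfig` (Intune's macOS "Custom" template or a Jamf profile). The org identifier and the Edge/Outlook paths are constructed placeholders.

```python
"""Generate a macOS Dock configuration profile (.mobileconfig) that pins
Company Portal (and other managed apps) to the Dock at first login.

Added example for this thread, not any poster's code. Assumes the app
bundles are at the paths listed below; adjust for your estate. The
payload keys (com.apple.dock, persistent-apps, tile-data, file-data,
_CFURLString, _CFURLStringType, contents-immutable) are the keys of
Apple's managed Dock preference domain.
"""
import plistlib
import uuid

# Constructed sample: apps the question wants reachable after enrollment.
DEFAULT_APPS = [
    "/Applications/Company Portal.app",
    "/Applications/Microsoft Edge.app",      # assumed path
    "/Applications/Microsoft Outlook.app",   # assumed path
]


def dock_tile(app_path: str) -> dict:
    """Build one Dock tile entry pointing at an application bundle."""
    if not app_path.startswith("/Applications/") or not app_path.endswith(".app"):
        # Only accept bundles under /Applications. A Dock profile that points
        # elsewhere is either a typo or a tampered profile, and the Dock is
        # exactly where users click without looking.
        raise ValueError(f"refusing non-/Applications bundle path: {app_path}")
    return {
        "tile-type": "file-tile",
        "tile-data": {
            "file-data": {
                "_CFURLString": app_path,
                "_CFURLStringType": 0,  # 0 = POSIX path, not a file:// URL
            }
        },
    }


def dock_profile(app_paths, org_id="com.example.mdm", lock_dock=False) -> dict:
    """Assemble a Configuration profile with a single com.apple.dock payload."""
    payload = {
        "PayloadType": "com.apple.dock",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.dock",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Managed Dock",
        "persistent-apps": [dock_tile(p) for p in app_paths],
        # True stops users from removing or rearranging the managed items.
        "contents-immutable": lock_dock,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "User",
        "PayloadIdentifier": f"{org_id}.dock-profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Dock with Company Portal",
        "PayloadContent": [payload],
    }


def to_mobileconfig(profile: dict) -> bytes:
    """Serialize the profile as XML plist, the format MDMs upload."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def pinned_apps(mobileconfig: bytes) -> list:
    """Parse a profile back and list the app paths it pins (review helper)."""
    doc = plistlib.loads(mobileconfig)
    paths = []
    for payload in doc["PayloadContent"]:
        if payload.get("PayloadType") != "com.apple.dock":
            continue
        for tile in payload.get("persistent-apps", []):
            paths.append(tile["tile-data"]["file-data"]["_CFURLString"])
    return paths


if __name__ == "__main__":
    data = to_mobileconfig(dock_profile(DEFAULT_APPS))
    with open("managed-dock.mobileconfig", "wb") as fh:
        fh.write(data)
    print("pinned:", pinned_apps(data))
```

Scope the profile to the user channel so it lands when the enrolled user's session is created, not at the device level; `pinned_apps` is there so a reviewer can diff what a profile actually pins against what the change request says before it is pushed fleet-wide.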